perl.perl5.porters | Postings from January 2008

[perl #50322] CGITempFile causes "Insecure dependency in sprintf" in perl 5.10.0

From: Steve Hay
Date: January 28, 2008 03:59
Subject: [perl #50322] CGITempFile causes "Insecure dependency in sprintf" in perl 5.10.0
Message ID: rt-3.6.HEAD-4355-1201515456-819.50322-75-0@perl.org
# New Ticket Created by  Steve Hay 
# Please include the string:  [perl #50322]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=50322 >


This is a bug report for perl from SteveHay@planit.com,
generated with the help of perlbug 1.36 running under perl 5.10.0.


-----------------------------------------------------------------
[Please enter your report here]

Run the following program under perl 5.10.0 on Windows XP:

#!perl -wT
use strict;
use warnings;
BEGIN { $ENV{TMPDIR} = "$ENV{WINDIR}\\TEMP" };
use CGI;
my $tmpfile = new CGITempFile(1);
print "tmpfile='", $tmpfile->as_string(), "'\n";

This causes the error:

Insecure dependency in sprintf while running with -T switch at (eval 2) line 6.

Under perl 5.8.8 it runs fine:

tmpfile='C:\WINDOWS\TEMP\CGItemp1'

The reason is the following item listed in perl5100delta:

"When perl is run under taint mode, printf() and sprintf() will now
reject any tainted format argument."

This causes a problem for CGI.pm, because CGITempFile::find_tempdir()
builds a hard-coded list of candidate temporary directories, but then
says:

unshift(@TEMP,$ENV{'TMPDIR'}) if defined $ENV{'TMPDIR'};

so this *tainted* candidate is the first one to be tried and is hence
selected as the value of $TMPDIRECTORY since in this case it happens to
exist.

The above error is then generated by CGITempFile::new when it uses this
*tainted* value in an sprintf() to build the temporary file name:

last if ! -f ($filename =
sprintf("${TMPDIRECTORY}${SL}CGItemp%d",$sequence++));

Obviously there are various ways around this (it's currently causing me
trouble with a Bugzilla system running on 5.10.0, and I've worked around
the problem by just commenting-out the unshift() line above so that the
tainted value is not a candidate), but I'm not sure what a good
permanent fix would be.


[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=library
    severity=medium
---
Site configuration information for perl 5.10.0:

Configured by SYSTEM at Thu Jan 10 11:00:30 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=MSWin32, osvers=5.00, archname=MSWin32-x86-multi-thread
    uname=''
    config_args='undef'
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cl', ccflags ='-nologo -GF -W3 -MD -Zi -DNDEBUG -O1 -DWIN32
-D_CONSOLE -DNO_STRICT -DHAVE_DES_FCRYPT -DUSE_SITECUSTOMIZE
-DPRIVLIB_LAST_IN_INC -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS
-DUSE_PERLIO -DPERL_MSVCRT_READFIX',
    optimize='-MD -Zi -DNDEBUG -O1',
    cppflags='-DWIN32'
    ccversion='14.00.50727.762', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=10
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64',
lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf
-libpath:"D:\Perl\lib\CORE"  -machine:x86'
    libpth=\lib
    libs=  oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib
comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib
netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib
odbc32.lib odbccp32.lib msvcrt.lib
    perllibs=  oldnames.lib kernel32.lib user32.lib gdi32.lib
winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib
oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib
version.lib odbc32.lib odbccp32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl510.lib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug
-opt:ref,icf  -libpath:"D:\Perl\lib\CORE"  -machine:x86'

Locally applied patches:
    ACTIVEPERL_LOCAL_PATCHES_ENTRY
    32809 Load 'loadable object' with non-default file extension
    32728 64-bit fix for Time::Local

---
@INC for perl 5.10.0:
    C:/Temp/Perl/site/lib
    C:/Temp/Perl/lib
    .

---
Environment for perl 5.10.0:
    HOME (unset)
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
 
PATH=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\batch;C:
\Program Files\Common Files\Roxio Shared\DLLShared\;c:\Program
Files\Microsoft SQL Server\90\Tools\binn\;C:\Program
Files\Subversion\bin;C:\Program Files\Sybase\SQL Anywhere
8\win32;C:\Program Files\Sybase\Shared\win32;C:\Program Files\Sybase\SQL
Anywhere 8\drivers;C:\Program Files\Sybase\Shared\Sybase Central
4.1;C:\Program Files\Sybase\Shared\Open Server\bin;C:\Program
Files\Sybase\Shared\Open Server\dll;C:\Program
Files\QuickTime\QTSystem\;C:\Program Files\Git\cmd;C:\Temp\Perl\bin
    PERL_BADLANG (unset)
    SHELL (unset)
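
One taint-safe way to keep honouring TMPDIR, as an added example (not CGI.pm's code and not part of the original report): the hypothetical helpers untaint_dir() and temp_name() check the environment value against an allow-list pattern before it is used, and keep the sprintf() format string constant. The fallback directory list is constructed for illustration.

```perl
#!perl -T
# Added example; run as: perl -T untaint_tmpdir.pl
use strict;
use warnings;

# Hypothetical helper: return an untainted copy of a candidate directory,
# or an empty list if it is unset or does not look like a plain path.
sub untaint_dir {
    my ($dir) = @_;
    return unless defined $dir && length $dir;
    # Allow-list: optional drive letter, then word characters, spaces,
    # dots, dashes and path separators. Anything else is rejected.
    return unless $dir =~ m{\A((?:[A-Za-z]:)?[\w .\\/-]+)\z};
    my $clean = $1;    # a regex capture is not tainted
    # Refuse ".." path components rather than trying to normalise them.
    return if $clean =~ m{(?:\A|[\\/])\.\.(?:[\\/]|\z)};
    return $clean;
}

# Hypothetical helper: build the file name with a constant format string,
# so no environment-derived data ever reaches sprintf's format argument.
sub temp_name {
    my ($dir, $sep, $seq) = @_;
    return sprintf('%s%sCGItemp%d', $dir, $sep, $seq);
}

my $sep = $^O eq 'MSWin32' ? '\\' : '/';

# The validated TMPDIR is tried first; the rest is a constructed fallback list.
my @candidates = (untaint_dir($ENV{TMPDIR}), '/tmp', 'C:\\temp', '.');
my ($tmpdir) = grep { -d $_ && -w _ } @candidates;
die "no usable temporary directory\n" unless defined $tmpdir;

# Same probing loop as the report describes: first name that is not a file.
my ($sequence, $filename) = (1);
for (1 .. 100) {
    $filename = temp_name($tmpdir, $sep, $sequence++);
    last if !-f $filename;
}
print "tmpfile='$filename'\n";
```

A constant format alone avoids the sprintf() error, but the resulting name would still be tainted and later rejected when opened for writing, which is why the directory is validated first.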

